Author: Thomas Wilhelm
Are you interested in a career in penetration testing, and don’t know where to start? Here is a book that gathers all the relevant information in one place, and gives a good overview of what the job entails and what skills are needed.
About the author
Thomas Wilhelm has been employed by Fortune 100 companies to conduct risk assessments, penetration testing efforts, and manage information systems security projects. He currently performs security training courses for both civilian and government personnel.
Inside the book
As any book addressing the topic of pentesting should, this one starts with a chapter on ethics. Technically, pentesters are hackers who chose to be the “good guys”, and here is where you’ll learn what that means in practice.
The next chapter is crucial, as it explains how to set up a basic pentesting lab using a virtual network, and then create more complex ones that will mirror corporate computer environments. One of the most difficult problems for aspiring pentesters is to find a target that will offer a challenge (and must, therefore, be set up by a person that is not the pentester) but that is legal to target. In this day and age, it’s getting more difficult to find such resources, and this will point you in the right direction.
The book links to additional resources and downloads of pre-set virtual images and configuration files to use for setting up the lab.
Aside from the expected technical chapters on pentesting methodologies and frameworks, there are a few that will give an outsider more insight in the other aspect of the job: organizing and managing a pentesting project (within an organization ans as a solo consultant), and reporting its result in a helpful and effective manner to the companies.
Lastly, he also includes a great chapter on “Hacking as a Career,” in which he addresses career paths, certifications, associations and organizations, information on where to look for job listings (and what to look for in them) and other types of opportunities to build up experience. He dissects the subject through the prism of his own work experience, which gives some good insights on how things have changed since he first started.
This is the second edition of a book that was first published in 2009 and was very successful. I don’t doubt that this one will be, as well, as this new version has been considerably expanded to cover the many things that changed in this field since then.
This edition also concentrated more on attacks directed at the labs the aspiring pentesters have set up instead at online resources, and includes more complex attacks. It also makes a (previously unacknowledged) distinction between external and internal pentests.
Some things may have changed, but the author’s writing style has remained as fresh and as compelling as in the past. This time around the book is structured better, and I loved the bite-sized tips and warnings interspersed throughout the book.